Created on 07-27-2015 03:53 PM - edited 09-16-2022 02:35 AM
Hello All,
I'm facing an access problem with the hive user when querying an external table in CDH 5.3.2 after Sentry was enabled.
I created an external table on top of a MapReduce output directory in HDFS. After the MapReduce job, when I query the external table it says:
Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=hive, access=READ_EXECUTE, inode="/data/payload_preprocessor/maptemp":svcvmhdpdev:hadoop:drwxrwx---
where svcvmhdpdev is the user who launched the MapReduce job and
/data/payload_preprocessor/maptemp is the MapReduce output directory (I also created the external table using this location).
I used the following query to grant ALL privileges to the hive user, but it's not working:
GRANT ALL ON URI 'hdfs://data/payload_preprocessor/maptemp' TO ROLE admin_role;
The only option is to set HDFS ACLs, but /data/payload_preprocessor/maptemp is a MapReduce output directory which needs to be deleted every time before the MapReduce job.
The question is: how do I grant read permissions to the hive user permanently, even when the directory is deleted and created again?
Thanks,
Venu
Created 07-28-2015 05:54 AM
Hey venu123,
Hive does not pass through Sentry, so it will not adhere to any rules you set directly in Sentry; it only looks at facls. To manage HDFS permissions with Sentry you have to enable the plugin for HDFS/Sentry sync and configure it appropriately. With the sync enabled, Hive checks the configuration and then references the group in Sentry, but the group will be applied automatically as a facl by Sentry.
To get items working, use the "hadoop fs -setfacl" command to add the user as a facl. To have the user added automatically as files are deleted and created, add them to the default ACL on the root folder. (Please note this was hit and miss for me; sometimes it worked, other times it did not.)
Example: add to the default ACL
hadoop fs -setfacl -m -R default:user:username:r-x /<path>
Created 07-27-2015 09:14 PM
I think default ACLs are the solution to inherit the parent directory's ACLs. It's still not clear why GRANT ALL ON URI 'hdfs://data/payload_preprocessor/maptemp' TO ROLE admin_role; is not working 😞
Thanks,
Venu
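One way to verify the default-ACL approach discussed in this thread, as an added example that is not part of any post: a shell check that reads `hadoop fs -getfacl` output for the parent directory and reports whether a directory recreated under it would give the hive user the READ_EXECUTE (r-x) access named in the error. The function name and the getfacl samples are constructed for illustration; the parent path is assumed to be /data/payload_preprocessor, and the check looks only at the parent's default entry and default mask.

```shell
#!/bin/sh
# Added example: does the parent's default ACL give USER the NEED permissions
# on directories created under it? Reads `hadoop fs -getfacl` output on stdin.
default_acl_allows() {            # usage: default_acl_allows USER NEED < getfacl-output
    awk -F: -v user="$1" -v need="$2" '
        { sub(/[ \t]*#.*$/, "") }                  # drop "# file:" headers and "#effective:" notes
        $1 == "default" && $2 == "user" && $3 == user { entry = $4 }
        $1 == "default" && $2 == "mask"               { mask = $4 }
        END {
            if (entry == "") entry = "---"         # no default entry for this user
            if (mask == "")  mask = "rwx"          # no mask line: nothing is filtered
            ok = 1
            for (i = 1; i <= 3; i++) {
                n = substr(need, i, 1)
                if (n != "-" && (substr(entry, i, 1) == "-" || substr(mask, i, 1) == "-")) ok = 0
            }
            exit !ok
        }'
}

# Constructed getfacl output for the parent directory /data/payload_preprocessor.
sample_granted() { cat <<'EOF'
# file: /data/payload_preprocessor
# owner: svcvmhdpdev
# group: hadoop
user::rwx
group::rwx
other::---
default:user::rwx
default:user:hive:r-x
default:group::rwx
default:mask::rwx
default:other::---
EOF
}
# Same entry, but the default mask strips execute (constructed).
sample_masked() { sample_granted | sed 's/^default:mask::rwx$/default:mask::r--/'; }
# Only an access ACL entry: applies to the parent itself, not to new children (constructed).
sample_access_only() { sample_granted | sed 's/^default:user:hive:r-x$/user:hive:r-x/'; }

for s in sample_granted sample_masked sample_access_only; do
    if $s | default_acl_allows hive r-x; then
        echo "$s: hive inherits r-x"
    else
        echo "$s: hive would still be denied READ_EXECUTE"
    fi
done
```

On a live cluster the same function can be fed directly, for example `hadoop fs -getfacl /data/payload_preprocessor | default_acl_allows hive r-x`.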